SlideShare uma empresa Scribd logo

Ofer Maor - OWASP Top 10

C
CSAIsrael
1 de 24
Baixar para ler offline
OWASP Israel & Introduction to OWASP Top 10 Ofer Maor CTO, Hacktics Chairman, OWASP Israel CSA Israel Convention Dec 2010 Copyright © 2009 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike 2.5 License. To view this license, visit http://creativecommons.org/licenses/by-sa/2.5/ The OWASP Foundation http://www.webappsec.org/ http://www.owasp.org/
OWASP World OWASP is a worldwide free and open Everyone is free to participate in community focused on improving the OWASP and all of our materials are security of application software. available under a free and open software license. Our mission is to make application security visible so that people and The OWASP Foundation is a 501c3 organizations can make informed not-for-profit charitable organization decisions about application security that ensures the ongoing availability risks. and support for our work. December 2010
OWASP Worldwide Community Membership Chapters Participants Individual: 750 158 around world 1,470 Wiki accounts Organizations: 27 +20,000 users 3 December 2010
OWASP Dashboard Worldwide Users Most New Visitors 250 200 29,748,796 page views 150 100 50 0 01/10/2002 01/10/2003 01/10/2004 01/10/2005 01/10/2006 01/10/2007 December 2010 4
OWASP KnowledgeBase •9,421 total articles •427 presentations •200 updates per day •+300 mailing lists •180 blogs monitored •19 deface attempts •2,962 uploaded files December 2010
OWASP Top Ten (2010 Edition) http://www.owasp.org/index.php/Top_10 December 2010
OWASP AppSec Guides Free and open source Cheap printed copies Covers all critical security controls Hundreds of expert authors All aspects of application security December 2010 7
Many Other Projects… OWASP Top 10 AppSec Guides Application Security Verification Standard OWASP Software Assurance Maturity Model WebGoat WebScarab CSRF Tester / CSRF Guard OWASP Live CD OWASP Enterprise Security API More… December 2010 8
About OWASP Israel Local Israeli Chapter Over 700 registered users (Bigger than NYC!) (If you‟re not in – now is the time to register) https://lists.owasp.org/mailman/listinfo/owasp-israel Activities Monthly Meetings Annual Conference OWASP Top 10 – Hebrew Translation December 2010 9
OWASP Top 10 – 2010 The Top 10 Most Critical Web Application Security Risks Ofer Maor CTO, Hacktics Chairman, OWASP Israel CSA Israel Convention Dec 2010 Copyright © 2009 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike 2.5 License. To view this license, visit http://creativecommons.org/licenses/by-sa/2.5/ The OWASP Foundation http://www.webappsec.org/ http://www.owasp.org/
What’s Changed? It’s About Risks, Not Just Vulnerabilities • New title is: “The Top 10 Most Critical Web Application Security Risks” OWASP Top 10 Risk Rating Methodology • Based on the OWASP Risk Rating Methodology, used to prioritize Top 10 2 Risks Added, 2 Dropped • Added: A6 – Security Misconfiguration • Was A10 in 2004 Top 10: Insecure Configuration Management • Added: A10 – Unvalidated Redirects and Forwards • Relatively common and VERY dangerous flaw that is not well known • Removed: A3 – Malicious File Execution • Primarily a PHP flaw that is dropping in prevalence • Removed: A6 – Information Leakage and Improper Error Handling • A very prevalent flaw, that does not introduce much risk (normally) December 2010
OWASP Top 10 Risk Rating Methodology Threat Attack Weakness Weakness Business Technical Impact Agent Vector Prevalence Detectability Impact 1 Easy Widespread Easy Severe ? 2 Average Common Average Moderate ? 3 Difficult Uncommon Difficult Minor 1 2 2 1 Injection Example 1.66 * 1 1.66 weighted risk rating December 2010
OWASP Top Ten (2010 Edition) http://www.owasp.org/index.php/Top_10 December 2010
A1 – Injection Injection means… • Tricking an application into including unintended commands in the data sent to an interpreter Interpreters… • Take strings and interpret them as commands • SQL, OS Shell, LDAP, XPath, Hibernate, etc… SQL injection is still quite common • Many applications still susceptible (really don‟t know why) • Even though it‟s usually very simple to avoid Typical Impact • Usually severe. Entire database can usually be read or modified • May also allow full database schema, or account access, or even OS level access December 2010
A2 – Cross-Site Scripting (XSS) Occurs any time… • Raw data from attacker is sent to an innocent user‟s browser Raw data… • Stored in database • Reflected from web input (form field, hidden field, URL, etc…) • Sent directly into rich JavaScript client Virtually every web application has this problem • Try this in your browser – javascript:alert(document.cookie) Typical Impact • Steal user‟s session, steal sensitive data, rewrite web page, redirect user to phishing or malware site • Most Severe: Install XSS proxy which allows attacker to observe and direct all user‟s behavior on vulnerable site and force user to other sites December 2010
A3 – Broken Authentication and Session Management HTTP is a “stateless” protocol • Means credentials have to go with every request • Should use SSL for everything requiring authentication Session management flaws • SESSION ID used to track state since HTTP doesn‟t • and it is just as good as credentials to an attacker • SESSION ID is typically exposed on the network, in browser, in logs, … Beware the side-doors • Change my password, remember my password, forgot my password, secret question, logout, email address, etc… Typical Impact • User accounts compromised or user sessions hijacked December 2010
A4 – Insecure Direct Object References How do you protect access to your data? • This is part of enforcing proper “Authorization”, along with A7 – Failure to Restrict URL Access A common mistake … • Only listing the „authorized‟ objects for the current user, or • Hiding the object references in hidden fields • … and then not enforcing these restrictions on the server side • This is called presentation layer access control, and doesn‟t work • Attacker simply tampers with parameter value Typical Impact • Users are able to access unauthorized files or data December 2010
A5 – Cross Site Request Forgery (CSRF) Cross Site Request Forgery • An attack where the victim‟s browser is tricked into issuing a command to a vulnerable web application • Vulnerability is caused by browsers automatically including user authentication data (session ID, IP address, Windows domain credentials, …) with each request Imagine… • What if a hacker could steer your mouse and get you to click on links in your online banking application? • What could they make you do? Typical Impact • Initiate transactions (transfer funds, logout user, close account) • Access sensitive data • Change account details December 2010
A6 – Security Misconfiguration Web applications rely on a secure foundation • Everywhere from the OS up through the App Server • Don‟t forget all the libraries you are using!! Is your source code a secret? • Think of all the places your source code goes • Security should not require secret source code CM must extend to all parts of the application • All credentials should change in production Typical Impact • Install backdoor through missing OS or server patch • XSS flaw exploits due to missing application framework patches • Unauthorized access to default accounts, application functionality or data, or unused but accessible functionality due to poor server configuration December 2010
A7 – Insecure Cryptographic Storage Storing sensitive data insecurely • Failure to identify all sensitive data • Failure to identify all the places that this sensitive data gets stored • Databases, files, directories, log files, backups, etc. • Failure to properly protect this data in every location Typical Impact • Attackers access or modify confidential or private information • e.g, credit cards, health care records, financial data (yours or your customers) • Attackers extract secrets to use in additional attacks • Company embarrassment, customer dissatisfaction, and loss of trust • Expense of cleaning up the incident, such as forensics, sending apology letters, reissuing thousands of credit cards, providing identity theft insurance • Business gets sued and/or fined December 2010
A8 – Failure to Restrict URL Access How do you protect access to URLs (pages)? • This is part of enforcing proper “authorization”, along with A4 – Insecure Direct Object References A common mistake … • Displaying only authorized links and menu choices • This is called presentation layer access control, and doesn‟t work • Attacker simply forges direct access to „unauthorized‟ pages Typical Impact • Attackers invoke functions and services they‟re not authorized for • Access other user‟s accounts and data • Perform privileged actions December 2010
A9 – Insufficient Transport Layer Protection Transmitting sensitive data insecurely • Failure to identify all sensitive data • Failure to identify all the places that this sensitive data is sent • On the web, to backend databases, to business partners, internal communications • Failure to properly protect this data in every location Typical Impact • Attackers access or modify confidential or private information • e.g, credit cards, health care records, financial data (yours or your customers) • Attackers extract secrets to use in additional attacks • Company embarrassment, customer dissatisfaction, and loss of trust • Expense of cleaning up the incident • Business gets sued and/or fined December 2010
A10 – Unvalidated Redirects and Forwards Web application redirects are very common • And frequently include user supplied parameters in the destination URL • If they aren‟t validated, attacker can send victim to a site of their choice Forwards (aka Transfer in .NET) are common too • They internally send the request to a new page in the same application • Sometimes parameters define the target page • If not validated, attacker may be able to use unvalidated forward to bypass authentication or authorization checks Typical Impact • Redirect victim to phishing or malware site • Attacker‟s request is forwarded past security checks, allowing unauthorized function or data access December 2010
Thank You! Questions? December 2010 24

Recomendados

Owasp o
Owasp oOwasp o
Owasp oSagar Nangare
 
V Com Tem
V Com TemV Com Tem
V Com Temelizabethkcarroll
 
Lead Generation Conference 2012 Korolivski Mitci
Lead Generation Conference 2012 Korolivski MitciLead Generation Conference 2012 Korolivski Mitci
Lead Generation Conference 2012 Korolivski MitciКоролівські митці
 
Pps
PpsPps
PpsSueChorney
 
Dr. David Movshovitz - Navajo SaaS
Dr. David Movshovitz - Navajo SaaSDr. David Movshovitz - Navajo SaaS
Dr. David Movshovitz - Navajo SaaSCSAIsrael
 
Native American Coordination and Consultationestions
Native American Coordination and ConsultationestionsNative American Coordination and Consultationestions
Native American Coordination and Consultationestionsalan_gold
 
Guy Bejerano: A practical view of cloud security
Guy Bejerano: A practical view of cloud securityGuy Bejerano: A practical view of cloud security
Guy Bejerano: A practical view of cloud securityCSAIsrael
 
Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]
Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]
Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]Websec México, S.C.
 

Recomendados

Owasp o
Owasp oOwasp o
Owasp oSagar Nangare
 
V Com Tem
V Com TemV Com Tem
V Com Temelizabethkcarroll
 
Lead Generation Conference 2012 Korolivski Mitci
Lead Generation Conference 2012 Korolivski MitciLead Generation Conference 2012 Korolivski Mitci
Lead Generation Conference 2012 Korolivski MitciКоролівські митці
 
Pps
PpsPps
PpsSueChorney
 
Dr. David Movshovitz - Navajo SaaS
Dr. David Movshovitz - Navajo SaaSDr. David Movshovitz - Navajo SaaS
Dr. David Movshovitz - Navajo SaaSCSAIsrael
 
Native American Coordination and Consultationestions
Native American Coordination and ConsultationestionsNative American Coordination and Consultationestions
Native American Coordination and Consultationestionsalan_gold
 
Guy Bejerano: A practical view of cloud security
Guy Bejerano: A practical view of cloud securityGuy Bejerano: A practical view of cloud security
Guy Bejerano: A practical view of cloud securityCSAIsrael
 
Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]
Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]
Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]Websec México, S.C.
 
Owasp top 10_-_2010 presentation
Owasp top 10_-_2010 presentationOwasp top 10_-_2010 presentation
Owasp top 10_-_2010 presentationIslam Azeddine Mennouchi
 
OWASP Bulgaria
OWASP BulgariaOWASP Bulgaria
OWASP BulgariaZero Science Lab
 
OWASP Overview of Projects You Can Use Today - DefCamp 2012
OWASP Overview of Projects You Can Use Today - DefCamp 2012OWASP Overview of Projects You Can Use Today - DefCamp 2012
OWASP Overview of Projects You Can Use Today - DefCamp 2012DefCamp
 
Do You... Legal?
Do You... Legal?Do You... Legal?
Do You... Legal?Ludovic Petit
 
[OWASP-Bulgaria] G. Geshev - Chapter Introductory Lecture
[OWASP-Bulgaria] G. Geshev - Chapter Introductory Lecture[OWASP-Bulgaria] G. Geshev - Chapter Introductory Lecture
[OWASP-Bulgaria] G. Geshev - Chapter Introductory LectureG. Geshev
 
OWASP Serbia - A6 security misconfiguration
OWASP Serbia - A6 security misconfigurationOWASP Serbia - A6 security misconfiguration
OWASP Serbia - A6 security misconfigurationNikola Milosevic
 
Chirita ionel owasp europe tour
Chirita ionel owasp europe tourChirita ionel owasp europe tour
Chirita ionel owasp europe tourChirita Ionel
 
security misconfigurations
security misconfigurationssecurity misconfigurations
security misconfigurationsMegha Sahu
 
RSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP TrainingRSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP TrainingJim Manico
 
Looking Forward… and Beyond - Distinctiveness Through Security Excellence
Looking Forward… and Beyond - Distinctiveness Through Security ExcellenceLooking Forward… and Beyond - Distinctiveness Through Security Excellence
Looking Forward… and Beyond - Distinctiveness Through Security ExcellenceLudovic Petit
 
OWASP top10 2017, Montpellier JUG de Noel
OWASP top10 2017, Montpellier JUG de NoelOWASP top10 2017, Montpellier JUG de Noel
OWASP top10 2017, Montpellier JUG de NoelHubert Gregoire
 
OWASP an Introduction
OWASP an Introduction OWASP an Introduction
OWASP an Introduction alessiomarziali
 
Owasp london training course 2010 - Matteo Meucci
Owasp london training course 2010 - Matteo MeucciOwasp london training course 2010 - Matteo Meucci
Owasp london training course 2010 - Matteo MeucciMatteo Meucci
 
OWASP Top Ten in Practice
OWASP Top Ten in PracticeOWASP Top Ten in Practice
OWASP Top Ten in PracticeSecurity Innovation
 
OWASP Free Training - SF2014 - Keary and Manico
OWASP Free Training - SF2014 - Keary and ManicoOWASP Free Training - SF2014 - Keary and Manico
OWASP Free Training - SF2014 - Keary and ManicoEoin Keary
 
OWASP Top 10 2007 for JavaEE
OWASP Top 10 2007 for JavaEE OWASP Top 10 2007 for JavaEE
OWASP Top 10 2007 for JavaEE Magno Logan
 
Security of internet
Security of internetSecurity of internet
Security of internetOWASPKerala
 
Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013Aryan G
 
Owasp top 10_-_2013
Owasp top 10_-_2013Owasp top 10_-_2013
Owasp top 10_-_2013Edho Armando
 
Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013Bee_Ware
 

Mais conteúdo relacionado

Semelhante a Ofer Maor - OWASP Top 10

OWASP Overview of Projects You Can Use Today - DefCamp 2012
OWASP Overview of Projects You Can Use Today - DefCamp 2012OWASP Overview of Projects You Can Use Today - DefCamp 2012
OWASP Overview of Projects You Can Use Today - DefCamp 2012DefCamp
 
[OWASP-Bulgaria] G. Geshev - Chapter Introductory Lecture
[OWASP-Bulgaria] G. Geshev - Chapter Introductory Lecture[OWASP-Bulgaria] G. Geshev - Chapter Introductory Lecture
[OWASP-Bulgaria] G. Geshev - Chapter Introductory LectureG. Geshev
 
OWASP Serbia - A6 security misconfiguration
OWASP Serbia - A6 security misconfigurationOWASP Serbia - A6 security misconfiguration
OWASP Serbia - A6 security misconfigurationNikola Milosevic
 
Chirita ionel owasp europe tour
Chirita ionel owasp europe tourChirita ionel owasp europe tour
Chirita ionel owasp europe tourChirita Ionel
 
security misconfigurations
security misconfigurationssecurity misconfigurations
security misconfigurationsMegha Sahu
 
RSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP TrainingRSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP TrainingJim Manico
 
Looking Forward… and Beyond - Distinctiveness Through Security Excellence
Looking Forward… and Beyond - Distinctiveness Through Security ExcellenceLooking Forward… and Beyond - Distinctiveness Through Security Excellence
Looking Forward… and Beyond - Distinctiveness Through Security ExcellenceLudovic Petit
 
OWASP top10 2017, Montpellier JUG de Noel
OWASP top10 2017, Montpellier JUG de NoelOWASP top10 2017, Montpellier JUG de Noel
OWASP top10 2017, Montpellier JUG de NoelHubert Gregoire
 
Owasp london training course 2010 - Matteo Meucci
Owasp london training course 2010 - Matteo MeucciOwasp london training course 2010 - Matteo Meucci
Owasp london training course 2010 - Matteo MeucciMatteo Meucci
 
OWASP Free Training - SF2014 - Keary and Manico
OWASP Free Training - SF2014 - Keary and ManicoOWASP Free Training - SF2014 - Keary and Manico
OWASP Free Training - SF2014 - Keary and ManicoEoin Keary
 
OWASP Top 10 2007 for JavaEE
OWASP Top 10 2007 for JavaEE OWASP Top 10 2007 for JavaEE
OWASP Top 10 2007 for JavaEE Magno Logan
 
Security of internet
Security of internetSecurity of internet
Security of internetOWASPKerala
 
Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013Aryan G
 
Owasp top 10_-_2013
Owasp top 10_-_2013Owasp top 10_-_2013
Owasp top 10_-_2013Edho Armando
 
Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013Bee_Ware
 

Semelhante a Ofer Maor - OWASP Top 10 (20)

Owasp top 10_-_2010 presentation
Owasp top 10_-_2010 presentationOwasp top 10_-_2010 presentation
Owasp top 10_-_2010 presentation
 
OWASP Bulgaria
OWASP BulgariaOWASP Bulgaria
OWASP Bulgaria
 
OWASP Overview of Projects You Can Use Today - DefCamp 2012
OWASP Overview of Projects You Can Use Today - DefCamp 2012OWASP Overview of Projects You Can Use Today - DefCamp 2012
OWASP Overview of Projects You Can Use Today - DefCamp 2012
 
Do You... Legal?
Do You... Legal?Do You... Legal?
Do You... Legal?
 
[OWASP-Bulgaria] G. Geshev - Chapter Introductory Lecture
[OWASP-Bulgaria] G. Geshev - Chapter Introductory Lecture[OWASP-Bulgaria] G. Geshev - Chapter Introductory Lecture
[OWASP-Bulgaria] G. Geshev - Chapter Introductory Lecture
 
OWASP Serbia - A6 security misconfiguration
OWASP Serbia - A6 security misconfigurationOWASP Serbia - A6 security misconfiguration
OWASP Serbia - A6 security misconfiguration
 
Chirita ionel owasp europe tour
Chirita ionel owasp europe tourChirita ionel owasp europe tour
Chirita ionel owasp europe tour
 
security misconfigurations
security misconfigurationssecurity misconfigurations
security misconfigurations
 
RSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP TrainingRSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP Training
 
Looking Forward… and Beyond - Distinctiveness Through Security Excellence
Looking Forward… and Beyond - Distinctiveness Through Security ExcellenceLooking Forward… and Beyond - Distinctiveness Through Security Excellence
Looking Forward… and Beyond - Distinctiveness Through Security Excellence
 
OWASP top10 2017, Montpellier JUG de Noel
OWASP top10 2017, Montpellier JUG de NoelOWASP top10 2017, Montpellier JUG de Noel
OWASP top10 2017, Montpellier JUG de Noel
 
OWASP an Introduction
OWASP an Introduction OWASP an Introduction
OWASP an Introduction
 
Owasp london training course 2010 - Matteo Meucci
Owasp london training course 2010 - Matteo MeucciOwasp london training course 2010 - Matteo Meucci
Owasp london training course 2010 - Matteo Meucci
 
OWASP Top Ten in Practice
OWASP Top Ten in PracticeOWASP Top Ten in Practice
OWASP Top Ten in Practice
 
OWASP Free Training - SF2014 - Keary and Manico
OWASP Free Training - SF2014 - Keary and ManicoOWASP Free Training - SF2014 - Keary and Manico
OWASP Free Training - SF2014 - Keary and Manico
 
OWASP Top 10 2007 for JavaEE
OWASP Top 10 2007 for JavaEE OWASP Top 10 2007 for JavaEE
OWASP Top 10 2007 for JavaEE
 
Security of internet
Security of internetSecurity of internet
Security of internet
 
Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013
 
Owasp top 10_-_2013
Owasp top 10_-_2013Owasp top 10_-_2013
Owasp top 10_-_2013
 
Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013
 

Ofer Maor - OWASP Top 10

  • 1. OWASP Israel & Introduction to OWASP Top 10 Ofer Maor CTO, Hacktics Chairman, OWASP Israel CSA Israel Convention Dec 2010 Copyright © 2009 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike 2.5 License. To view this license, visit http://creativecommons.org/licenses/by-sa/2.5/ The OWASP Foundation http://www.webappsec.org/ http://www.owasp.org/
  • 2. OWASP World OWASP is a worldwide free and open Everyone is free to participate in community focused on improving the OWASP and all of our materials are security of application software. available under a free and open software license. Our mission is to make application security visible so that people and The OWASP Foundation is a 501c3 organizations can make informed not-for-profit charitable organization decisions about application security that ensures the ongoing availability risks. and support for our work. December 2010
  • 3. OWASP Worldwide Community Membership Chapters Participants Individual: 750 158 around world 1,470 Wiki accounts Organizations: 27 +20,000 users 3 December 2010
  • 4. OWASP Dashboard Worldwide Users Most New Visitors 250 200 29,748,796 page views 150 100 50 0 01/10/2002 01/10/2003 01/10/2004 01/10/2005 01/10/2006 01/10/2007 December 2010 4
  • 5. OWASP KnowledgeBase •9,421 total articles •427 presentations •200 updates per day •+300 mailing lists •180 blogs monitored •19 deface attempts •2,962 uploaded files December 2010
  • 6. OWASP Top Ten (2010 Edition) http://www.owasp.org/index.php/Top_10 December 2010
  • 7. OWASP AppSec Guides Free and open source Cheap printed copies Covers all critical security controls Hundreds of expert authors All aspects of application security December 2010 7
  • 8. Many Other Projects… OWASP Top 10 AppSec Guides Application Security Verification Standard OWASP Software Assurance Maturity Model WebGoat WebScarab CSRF Tester / CSRF Guard OWASP Live CD OWASP Enterprise Security API More… December 2010 8
  • 9. About OWASP Israel Local Israeli Chapter Over 700 registered users (Bigger than NYC!) (If you‟re not in – now is the time to register) https://lists.owasp.org/mailman/listinfo/owasp-israel Activities Monthly Meetings Annual Conference OWASP Top 10 – Hebrew Translation December 2010 9
  • 10. OWASP Top 10 – 2010 The Top 10 Most Critical Web Application Security Risks Ofer Maor CTO, Hacktics Chairman, OWASP Israel CSA Israel Convention Dec 2010 Copyright © 2009 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike 2.5 License. To view this license, visit http://creativecommons.org/licenses/by-sa/2.5/ The OWASP Foundation http://www.webappsec.org/ http://www.owasp.org/
  • 11. What’s Changed? It’s About Risks, Not Just Vulnerabilities • New title is: “The Top 10 Most Critical Web Application Security Risks” OWASP Top 10 Risk Rating Methodology • Based on the OWASP Risk Rating Methodology, used to prioritize Top 10 2 Risks Added, 2 Dropped • Added: A6 – Security Misconfiguration • Was A10 in 2004 Top 10: Insecure Configuration Management • Added: A10 – Unvalidated Redirects and Forwards • Relatively common and VERY dangerous flaw that is not well known • Removed: A3 – Malicious File Execution • Primarily a PHP flaw that is dropping in prevalence • Removed: A6 – Information Leakage and Improper Error Handling • A very prevalent flaw, that does not introduce much risk (normally) December 2010
  • 12. OWASP Top 10 Risk Rating Methodology Threat Attack Weakness Weakness Business Technical Impact Agent Vector Prevalence Detectability Impact 1 Easy Widespread Easy Severe ? 2 Average Common Average Moderate ? 3 Difficult Uncommon Difficult Minor 1 2 2 1 Injection Example 1.66 * 1 1.66 weighted risk rating December 2010
  • 13. OWASP Top Ten (2010 Edition) http://www.owasp.org/index.php/Top_10 December 2010
  • 14. A1 – Injection Injection means… • Tricking an application into including unintended commands in the data sent to an interpreter Interpreters… • Take strings and interpret them as commands • SQL, OS Shell, LDAP, XPath, Hibernate, etc… SQL injection is still quite common • Many applications still susceptible (really don‟t know why) • Even though it‟s usually very simple to avoid Typical Impact • Usually severe. Entire database can usually be read or modified • May also allow full database schema, or account access, or even OS level access December 2010
  • 15. A2 – Cross-Site Scripting (XSS) Occurs any time… • Raw data from attacker is sent to an innocent user‟s browser Raw data… • Stored in database • Reflected from web input (form field, hidden field, URL, etc…) • Sent directly into rich JavaScript client Virtually every web application has this problem • Try this in your browser – javascript:alert(document.cookie) Typical Impact • Steal user‟s session, steal sensitive data, rewrite web page, redirect user to phishing or malware site • Most Severe: Install XSS proxy which allows attacker to observe and direct all user‟s behavior on vulnerable site and force user to other sites December 2010
  • 16. A3 – Broken Authentication and Session Management HTTP is a “stateless” protocol • Means credentials have to go with every request • Should use SSL for everything requiring authentication Session management flaws • SESSION ID used to track state since HTTP doesn‟t • and it is just as good as credentials to an attacker • SESSION ID is typically exposed on the network, in browser, in logs, … Beware the side-doors • Change my password, remember my password, forgot my password, secret question, logout, email address, etc… Typical Impact • User accounts compromised or user sessions hijacked December 2010
  • 17. A4 – Insecure Direct Object References How do you protect access to your data? • This is part of enforcing proper “Authorization”, along with A7 – Failure to Restrict URL Access A common mistake … • Only listing the „authorized‟ objects for the current user, or • Hiding the object references in hidden fields • … and then not enforcing these restrictions on the server side • This is called presentation layer access control, and doesn‟t work • Attacker simply tampers with parameter value Typical Impact • Users are able to access unauthorized files or data December 2010
  • 18. A5 – Cross Site Request Forgery (CSRF) Cross Site Request Forgery • An attack where the victim‟s browser is tricked into issuing a command to a vulnerable web application • Vulnerability is caused by browsers automatically including user authentication data (session ID, IP address, Windows domain credentials, …) with each request Imagine… • What if a hacker could steer your mouse and get you to click on links in your online banking application? • What could they make you do? Typical Impact • Initiate transactions (transfer funds, logout user, close account) • Access sensitive data • Change account details December 2010
  • 19. A6 – Security Misconfiguration Web applications rely on a secure foundation • Everywhere from the OS up through the App Server • Don‟t forget all the libraries you are using!! Is your source code a secret? • Think of all the places your source code goes • Security should not require secret source code CM must extend to all parts of the application • All credentials should change in production Typical Impact • Install backdoor through missing OS or server patch • XSS flaw exploits due to missing application framework patches • Unauthorized access to default accounts, application functionality or data, or unused but accessible functionality due to poor server configuration December 2010
  • 20. A7 – Insecure Cryptographic Storage Storing sensitive data insecurely • Failure to identify all sensitive data • Failure to identify all the places that this sensitive data gets stored • Databases, files, directories, log files, backups, etc. • Failure to properly protect this data in every location Typical Impact • Attackers access or modify confidential or private information • e.g, credit cards, health care records, financial data (yours or your customers) • Attackers extract secrets to use in additional attacks • Company embarrassment, customer dissatisfaction, and loss of trust • Expense of cleaning up the incident, such as forensics, sending apology letters, reissuing thousands of credit cards, providing identity theft insurance • Business gets sued and/or fined December 2010
  • 21. A8 – Failure to Restrict URL Access How do you protect access to URLs (pages)? • This is part of enforcing proper “authorization”, along with A4 – Insecure Direct Object References A common mistake … • Displaying only authorized links and menu choices • This is called presentation layer access control, and doesn‟t work • Attacker simply forges direct access to „unauthorized‟ pages Typical Impact • Attackers invoke functions and services they‟re not authorized for • Access other user‟s accounts and data • Perform privileged actions December 2010
  • 22. A9 – Insufficient Transport Layer Protection Transmitting sensitive data insecurely • Failure to identify all sensitive data • Failure to identify all the places that this sensitive data is sent • On the web, to backend databases, to business partners, internal communications • Failure to properly protect this data in every location Typical Impact • Attackers access or modify confidential or private information • e.g, credit cards, health care records, financial data (yours or your customers) • Attackers extract secrets to use in additional attacks • Company embarrassment, customer dissatisfaction, and loss of trust • Expense of cleaning up the incident • Business gets sued and/or fined December 2010
  • 23. A10 – Unvalidated Redirects and Forwards Web application redirects are very common • And frequently include user supplied parameters in the destination URL • If they aren‟t validated, attacker can send victim to a site of their choice Forwards (aka Transfer in .NET) are common too • They internally send the request to a new page in the same application • Sometimes parameters define the target page • If not validated, attacker may be able to use unvalidated forward to bypass authentication or authorization checks Typical Impact • Redirect victim to phishing or malware site • Attacker‟s request is forwarded past security checks, allowing unauthorized function or data access December 2010
  • 24. Thank You! Questions? December 2010 24